Decide whether single sign-on with Azure Virtual Machines is right for your organization


Applies to: Office 365

Summary: Helps you decide whether Office 365 with single sign-on using Azure Virtual Machines is right for your organization.

We're listening to your feedback and consolidating all our Office 365 deployment content. On July 1st, 2015, all information in this guide will be moved to, and these pages will be removed from TechNet. As you review the content still on TechNet, you'll notice many have links pointing to the new content already on

To explore content available on, start with the Office 365 for business - Admin Help page.

Before you decide to deploy Office 365 directory integration components on Azure Virtual Machines, you should take the time to consider the following:

  • Do you really need AD FS?

    Office 365 doesn’t require every customer to deploy directory synchronization services or Active Directory Federation Services (AD FS). In reality, most organizations require only cloud identities, where users receive cloud credentials for signing in to Office 365 services. The cloud ID password policy is stored in the cloud with the Office 365 service. Cloud credentials are separate from other desktop or corporate credentials.

    Using cloud identities, one optional server may be deployed to support directory synchronization from your on-premises Active Directory. In environments with just a few users, directory synchronization isn’t required. Users may be provisioned manually through the Office 365 portal.

    Federated identities, on the other hand, enable users to sign in to Office 365 services by using their Active Directory credentials. The corporate Active Directory authenticates the users, and then stores and controls the password policy.

    Deploying AD FS requires additional expertise, introduces complexity, and has higher operational costs.

    For more information about Office 365 user account types and to get a detailed description of cloud identities versus federated identities, see Office 365 User Account Management.

  • What business problems are you trying to solve?

    Deploying directory synchronization and AD FS components to Office 365 on virtual machines has a number of benefits. However, this deployment may add complexity to your infrastructure and may require additional expertise.

    You should consider deploying Office 365 directory integration components on virtual machines if it’s justified only by an actual business requirement. This justification may be to better align with your cloud strategy to avoid further on-premises hardware investments or as a necessary mitigation for an unreliable on-premises infrastructure.

  • Are you comfortable with the requirements?

    There are several technical requirements that apply to the deployment of Office 365 directory integration components on virtual machines as well as possible security implications. Use this article to help you thoroughly assess the effect on your infrastructure before you deploy directory integration components on virtual machines.

  • Is another model a better fit?

    As you consider the possibility of deploying virtual machines to support your requirements, you should always consider the advantages and drawbacks of this model against the cloud identity model, which is where identities are stored in Azure Active Directory. When using cloud identities, AD FS isn’t required, and dramatically simplifies your deployment.